Cisco ASA Static NAT Configuration

maher1 · September 26, 2016, 11:09am

Hi Michael,

Normally it should work as Rene has previously explained because the direction doesn’t matter for the ASA, the only thing that matters is what to translate. If you want that the request is sourced from the inside, you can specify “unidirectional” by end of the command of nat(inside,outside) static so the destination addresses cannot initiate traffic to the source addresses.

Hope this can help.

shantel · December 27, 2016, 4:57pm

19 posts were merged into an existing topic: Cisco ASA Static NAT Configuration

ReneMolenaar · August 4, 2017, 6:34am

A post was merged into an existing topic: Cisco ASA NAT Port Forwarding

naveedmasood2000 · November 6, 2017, 9:55am

I need help please

I am using the same topology but but unable to telnet 192.168.2.200 there is an an error % Connection timed out; remote host not responding

lagapidis · November 8, 2017, 7:34am

Hello Naveed

Make sure that all of the commands you have entered are as described in the lesson. Keep in mind also that you will require the use of an access list to allow the traffic to go through, otherwise it will be dropped. Specifically, for ASA versions before 8.3, you will need to issue the following command:

ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1

For version 8.3 and later, you will have to substitute the “real” IP address for the “NAT translated” address. So the command would look like this:

ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.2.200

Depending on the version you have, you should put in the appropriate command.

Try it out and let us know your results!

I hope this has been helpful!

Laz

naveedmasood2000 · November 9, 2017, 11:45am

Thanks sorted out this problem

sims · December 17, 2017, 8:00pm

Hi,

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

Let’s say I have one more subnet 192.168.3.0 wants to nat DMZ host 192.168.1.10 in the same scenario.What we have to do in this case?

Thanks

ReneMolenaar · December 20, 2017, 4:07pm

Hi Sims,

You want users in 192.168.3.0 to reach 192.168.1.10 through 192.168.2.200? Where is your 192.168.3.0 subnet located?

Rene

sims · December 21, 2017, 5:42am

Hi,
I’ ll advertise the network in the internet edge router .
and create static route to asa
In asa do nat

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.3.200

Thanks

ReneMolenaar · December 21, 2017, 10:07am

This will make your host at 192.168.1.1 reachable through 192.168.3.200 yes.

ksschaitanyakumar · February 26, 2018, 5:42am

Hi Rene,

This demonstrates that each IP address in the pool is translated to the “same” IP address in the DMZ. For example:

10.10.10.1 > 192.168.1.1
10.10.10.3 > 192.168.1.3
10.10.10.200 > 192.168.1.200
etc.

How is this gonna happen exactly 10.1 to 1.1, 10.2 to 1.2 etc…?
What if we have more than 255 servers hosted in our DMZ, i.e. pool of ip exhausted?

ReneMolenaar · March 5, 2018, 3:03pm

Hi Siva,

The ASA tries to do a 1:1 mapping, here’s a quick example:

R2#telnet 10.10.10.55

ASA1#
nat: untranslation - OUTSIDE:10.10.10.55/23 to DMZ:192.168.1.55/23 (xp:0x00007f84fc2ea0c0, policy:0x00007f84fda09fd0)

You can see it translates 10.10.10.55 to 192.168.1.55. Here is another example:

ASA1#
nat: untranslation - OUTSIDE:10.10.10.88/23 to DMZ:192.168.1.88/23 (xp:0x00007f84fc2ea0c0, policy:0x00007f84fda09fd0)

Same thing for .88.

This is a 1:1 static NAT so if you don’t have enough IP addresses in your pool, you’ll need to use PAT (port forwarding) instead.

Rene

pavanc.08 · March 25, 2018, 7:34am

Do the above examples define static nat bi-directional?

Also If it translates to IP address in DMZ, what will the packet be like this since IP is already assigned to the host?

pavanc.08 · March 25, 2018, 8:00am

We are translating 192.168.2.200 to 192.168.1.1 to reach the same…normally as explained is translating adress is equal to the webserver ip… in am confused

ReneMolenaar · April 3, 2018, 12:58pm

Hi Pavan,

This is not bi-directional NAT since we only translate one address here. If you use static NAT then you have a 1:1 relation, you can’t use the IP address for any other devices. If that’s what you want, you need to use PAT instead.

As to why we translate like this. Imagine the outside IP address is not 192.168.2.254 but some public IP address. If you want the web server to be reachable from the outside world, you’ll have to use NAT since the web server is using a private IP address.

m.berete · May 3, 2018, 6:48am

I’m new here, how can I save a lesson or add it to favorite list please ?

Thanks

ReneMolenaar · May 11, 2018, 12:05pm

Hello Moussa,

We have a member ideas list here where you can create new ideas or vote on others:

Rene

aquas19 · December 12, 2018, 9:56am

Hi Rene,
When you say the direction does not matter,does that mean that writing the command like (inside,outside) or (outside,inside) becomes irrelevant.If i compare what you explain when the outside client wants to connect to DMZ server inside,your nat statement is

ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

whereas on this link under the second example

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
Step 5
Configure static NAT for the web server.

hostname(config-network-object)# nat (outside,inside) static 10.1.2.20

its the other way round???Please explain.

lagapidis · December 19, 2018, 10:44am

Hello Naila

Let’s look again at the example that Rene was referring to:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

This statement will cause a translation from host 192.168.1.1 which is on the DMZ to be translated to a static external IP address of 192.168.2.200. This translation functions both ways, meaning that when 192.168.1.1 communicates with devices on the outside, the source address of this communication will be translated to 192.168.2.200, and when any outside devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

This does not mean that we can switch the DMZ and OUTSIDE keywords in the NAT command and get the same result. The results will indeed be different.

For example, if the following was configured;

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (OUTSIDE, DMZ) static 192.168.2.200

This statement will cause a translation from host 192.168.1.1 which is on the OUTSIDE to be translated to a static IP address of 192.168.2.200 on the DMZ. This means that when 192.168.1.1 communicates with devices on the DMZ, the source address of this communication will be translated to 192.168.2.200, and when any DMZ devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

I hope this has been helpful!

Laz

aquas19 · December 19, 2018, 11:21am

Thanks,i think it makes sense now.By flipping the order inside(inside,outside)will change the whole meaning of the direction of the traffic and also the respective natting.

One more question.
When we define a Static Host Entry on the inside and refer to it in the Nat statement,are we saying it will use the Host Ip address.

e.g

object network myServer
host 192.168.1.1
nat(inside,outside)static 10.10.10.100

does this mean that the nat statement already knows the when we type “inside”,it should pick the IP address from the Object Network to be used as the Source.??

I get the idea but just want to confirm the flow of the how to read the NAT statement.

If the traffic was coming from outside to this Webserver,the above should still work as its Bidirectional.
Am i right…??

Thanks